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Foreword 



id , 



This Technical Specification (TS) has been produced by the 3 Generation Partnership Project (3GPP). 

The contents of the present document are subject to continuing work within the TSG and may change following formal 
TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an 
identifying change of release date and an increase in version number as follows: 

Version x.y.z 

where: 

x the first digit: 

1 presented to TSG for information; 

2 presented to TSG for approval; 

3 or greater indicates TSG approved document under change control. 

y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, 
updates, etc. 

z the third digit is incremented when editorial only changes have been incorporated in the document. 



Introduction 



This document has been prepared by the 3GPP Task Force, and contains an example set of algorithms which may be 
used as the authentication and key generation functions fl,fl*, J2, f3,f4,f5 and/5*. (It is not mandatory that the 
particular algorithms specified in this document are used — all seven functions are operator-specifiable rather than 
being fully standardised). This document is one five, which between them form the entire specification of the example 
algorithms, entitled: 

3GPP TS 35.205: "3rd Generation Partnership Project; Technical Specification Group Services and System 
Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP 
authentication and key generation functions fl, fl*, f2, f3, f4, f5 and f5*; 
Document 1: General". 

3GPP TS 35.206: "3rd Generation Partnership Project; Technical Specification Group Services and System 
Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP 
authentication and key generation functions fl, fl*, f2, f3, f4, f5 and f5*; 
Document 2: Algorithm Specification". 

3GPP TS 35.207: "3rd Generation Partnership Project; Technical Specification Group Services and System 
Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP 
authentication and key generation functions fl, fl*, f2, f3, f4, f5 and f5*; 
Document 3: Implementors' Test Data". 

- 3GPP TS 35.208: "3rd Generation Partnership Project; Technical Specification Group Services and System 
Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP 
authentication and key generation functions fl, fl*, f2, f3, f4, f5 and f5*; 
Document 4: Design Conformance Test Data". 

3GPP TR 35.909: "3rd Generation Partnership Project; Technical Specification Group Services and System 
Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP 
authentication and key generation functions fl, fl*, f2, f3, f4, f5 and f5*; 
Document 5: Summary and results of design and evaluation". 
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The name "MILENAGE" 



The name of this algorithm set is "MILENAGE". It should be pronounced like a French word — something like "mi- 
le-nahj". 



Outline of the document 



Section 2 introduces the algorithms and describes the notation used in the subsequent sections. 

Section 3 explains how the algorithms are designed as a framework in such a way that various "customising 
components" can be selected in order to customise the algorithm for a particular operator. 

Section 4 defines the example algorithms. The algorithm framework is defined in section 4.1; in section 4.2, specific 
instances of the components are selected to define the specific example algorithm set. 

Section 5 explains various options and considerations for implementation of the algorithms, including considerations to 
be borne in mind when modifying the customising components. 

Illustrative pictures are given in Annex 1 . Annex 2 gives a specification of the block cipher algorithm which is used as a 
cryptographic kernel in the definition of the example algorithms. Annexes 3 and 4 contain source code in the C 
programming language: Annex 3 gives a complete and straightforward implementation of the algorithm set, while 
Annex 4 gives an example of an alternative high-performance implementation just of the kernel function. 

1.1 References 

The following documents contain provisions which, through reference in this text, constitute provisions of the present 
document. 

• References are either specific (identified by date of publication, edition number, version number, etc.) or 
non-specific. 

• For a specific reference, subsequent revisions do not apply. 

• For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including 
a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same 
Release as the present document. 

[1] 3GPP TS 33.102 v3.5.0: "3rd Generation Partnership Project; Technical Specification Group 

Services and System Aspects; 3G Security; Security Architecture". 

[2] 3GPP TS 33.105 v3.4.0: "3rd Generation Partnership Project; Technical Specification Group 

Services and System Aspects; 3G Security; Cryptographic Algorithm Requirements". 

[3] 3GPP TS 35.206: "3rd Generation Partnership Project; Technical Specification Group Services 

and System Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example 
algorithm set for the 3GPP authentication and key generation functions fl, fl*, f2, G, f4, f5 and 
f5*; Document 2: Algorithm Specification" (this document). 

[4] 3GPP TS 35.207: "3rd Generation Partnership Project; Technical Specification Group Services 

and System Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example 
algorithm set for the 3GPP authentication and key generation functions fl, fl*, f2, G, f4, f5 and 
f5*; Document 3: Implementors' Test Data". 

[5] 3GPP TS 35.208: "3rd Generation Partnership Project; Technical Specification Group Services 

and System Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example 
algorithm set for the 3GPP authentication and key generation functions fl, fl*, f2, G, f4, f5 and 
f5*; Document 4: Design Conformance Test Data". 
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[6] Joan Daemen and Vincent Rijmen: "AES Proposal: Rijndael", available at 

http://csrc.nist.gov/encryption/aes/round2/AESAlgs/Riindael/Riindael.pdf or 
http://www.esat.kuleuven.ac.be/~riimen/riindael/riindaeldocV2.zip 

[7] http://csrc.nist.gov/encryption/aes/ 

[8] Thomas S. Messerges, "Securing the AES finalists against Power Analysis Attacks", in FSE 2000, 

Seventh Fast Software Encryption Workshop, ed. Schneier, Springer Verlag, 2000. 

[9] P. C. Kocher, "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other 

Systems", in CRYPTO'96, Lecture Notes in Computer Science #1 109, Springer Verlag, 1996. 

[10] J. Kelsey, B. Schneier, D. Wagner, C. Hall, "Side Channel Cryptanalysis of Product Ciphers", in 

ESORICS'98, Lecture Notes in Computer Science #1485, Springer Verlag, 1998. 

[11] L. Goubin, J. Patarin, "DES and differential power analysis", in CHES'99, Lecture Notes in 

Computer Science #1717, Springer Verlag, 1999. 

[12] P. Kocher, J. Jaffe, B. Jun, "Differential Power Analysis", in CRYPTO'99, Lecture Notes in 

Computer Science #1666, Springer Verlag, 1999. 

[13] L. Goubin, J.-S. Coron, "On boolean and arithmetic masking against differential power analysis", 

in CHES'OO, Lecture Notes in Computer Science series, Springer Verlag (to appear). 



INTRODUCTORY INFORMATION 



2.1 Introduction 

Within the security architecture of the 3GPP system there are seven security functions/7, /7*,/2,/3,/4,/5 and/5*. 
The operation of these functions falls within the domain of one operator, and the functions are therefore to be specified 
by each operator rather than being fully standardised. The algorithms specified in this document are examples that may 
be used by an operator who does not wish to design his own. 

The inputs and outputs of all seven algorithms are defined in section 2.4. 

2.2 Notation 

2.2.1 Radix 

We use the prefix Ox to indicate hexadecimal numbers. 

2.2.2 Conventions 

We use the assignment operator '=', as used in several programming languages. When we write 

<variable> = <expression> 
we mean that <variable> assumes the value that <expression> had before the assignment took place. For instance, 

x = x + y + 3 
means 

(new value of x) becomes (old value of x) + (old value of y) + 3. 

2.2.3 Bit/Byte ordering 

All data variables in this specification are presented with the most significant bit (or byte) on the left hand side and the 
least significant bit (or byte) on the right hand side. Where a variable is broken down into a number of substrings, the 
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leftmost (most significant) substring is numbered 0, the next most significant is numbered 1, and so on through to the 
least significant. 



2.2.4 List of Symbols 



© 
ii 

E[x] k 
rot(x,r) 



X[i] 



The assignment operator. 

The bitwise exclusive-OR operation 

The concatenation of the two operands. 

The result of applying a block cipher encryption to the input value x using the key k. 

The result of cyclically rotating the 128-bit value x by r bit positions towards the most significant 

bit. If x = x[0] II x[l] II . . . x[127], and y = rot(x,r), 

then y = x[r] II x[r+l] II ... x[127] II x[0] II x[l] II x[r-l]. 



The r bit of the variable X. (X = X[0] II X[l] II X[2] 



). 



2.3 List of Variables 

AK a 48-bit anonymity key that is the output of either of the functions /5 and/5*. 

AMF a 16-bit authentication management field that is an input to the functions/7 and/7*. 

cl,c2,c3,c4,c5 128-bit constants, which are XORed onto intermediate variables. 

CK a 128-bit confidentiality key that is the output of the function/3. 

IK a 128-bit integrity key that is the output of the function/4. 

INI a 128 -bit value constructed from SQN and AMF and used in the computation of the functions /7 

and/7*. 
K a 128-bit subscriber key that is an input to the functions /7,/7*,/2,/3,/4,/5 and/5*. 

MAC- A a 64-bit network authentication code that is the output of the function/7. 

MAC-S a 64-bit resynchronisation authentication code that is the output of the function/7*. 

OP a 128-bit Operator Variant Algorithm Configuration Field that is a component of the functions/7, 

/7*,/2,/3,/4,/5 and/5*. 
OP c a 128-bit value derived from OP and K and used within the computation of the functions. 

OUTl,OUT2,OUT3,OUT4,OUT5 

128-bit computed values from which the outputs of the functions /7,/7*,/2,/3,/4,/5 and/5* are 

obtained. 
rl,r2,r3,r4,r5 integers in the range 0-127 inclusive, which define amounts by which intermediate variables are 

cyclically rotated. 
RAND a 128-bit random challenge that is an input to the functions /7,/7*,/2,/3,/4,/5 and/5*. 

RES a 64-bit signed response that is the output of the function/2. 

SQN a 48-bit sequence number that is an input to either of the functions /7 and/7*. (For/7* this input 

is more precisely called SQN M s) 
TEMP a 128-bit value used within the computation of the functions. 

2.4 Algorithm Inputs and Outputs 

The inputs to the algorithms are given in tables 1 and 2, the outputs in tables 3-9 below. 

Table 1 : inputs to f1 and f1 * 



Parameter 


Size (bits) 


Comment 


K 


128 


Subscriber key K[0]...K[127] 


RAND 


128 


Random challenge RAND[0]...RAND[127] 


SQN 


48 


Sequence number SQN[0]...SQN[47]. (For frthis input is 
more precisely called SQNms-) 


AMF 


16 


Authentication management field AMF[0]...AMF[15] 



Table 2: inputs to f2, f3, f4, f5 and f5* 



Parameter 


Size (bits) 


Comment 


K 


128 


Subscriber key K[0]...K[127] 


RAND 


128 


Random challenge RAND[0]...RAND[127] 
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Table 3: 11 output 



Parameter 


Size (bits) 


Comment 


MAC-A 


64 


Network authentication code MAC-AfO] . . . MAC 


■A[63] 


Table 4: 11* output 


Parameter 


Size (bits) 


Comment 


MAC-S 


64 


Resynch authentication code MAC-S[0]...MAC 


-S[63] 


Tables. 12 output 


Parameter 


Size (bits) 


Comment 


RES 


64 


Response RES[0]...RES[63] 


Table 6. 13 output 


Parameter 


Size (bits) 


Comment 


CK 


128 


Confidentiality key CK[0] . . . CK[1 27] 


Table 7. 14 output 


Parameter 


Size (bits) 


Comment 


IK 


128 


Integrity key IK[0]...IK[127] 


Table 8. 15 output 


Parameter 


Size (bits) 


Comment 


AK 


48 


Anonymity key AK[0]...AK[47] 


Table 9. 15* output 


Parameter 


Size (bits) 


Comment 


AK 


48 


Resynch anonymity key AK[0]...AK[47] 



Note: Both f5 and f5* outputs are called AK according to reference [2]. In practice only one of them will be calculated 
in each instance of the authentication and key agreement procedure. 



3 The algorithm framework and the specific example 

algorithms 

The example algorithm set makes use of the following components: 

A block cipher encryption function, which takes a 128-bit input and a 128-bit key and returns a 128-bit output. 
If the input is x, the key is k and the output is y, we write y = E[x] k . 

A 128-bit value OP. This is an Operator Variant Algorithm Configuration Field, which the Task Force was 
asked to include as a simple means to provide separation between the functionality of the algorithms when used 
by different operators. It is left to each operator to select a value for OP. The algorithm set is designed to be 
secure whether or not OP is publicly known; however, operators may see some advantage in keeping their value 
of OP secret. This and other aspects of the use of OP are discussed further in section 5. 

In the specific example algorithm set, a particular block cipher is used. But the algorithms have been designed so that 
this component can be replaced by any operator who wishes to create his own customised algorithm set. In that sense 
this document defines an algorithm framework, and the example algorithm set is one that fits within the framework. 
This is how the algorithm set is defined in section 4: in section 4. 1 the framework is defined in terms of the block 
cipher, and then in section 4.2 a block cipher is selected to give a fully specified algorithm set. 
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Definition of the example algorithms 



4.1 Algorithm Framework 

A 128-bit value OPc is derived from OP and K as follows: 

op c = op e e[op] k 

An intermediate 128-bit value TEMP is computed as follows: 

TEMP = E[RAND © OP c ] K 

A 128-bit value INI is constructed as follows: 

IN1[0] .. INI [47] = SQN[0] .. SQN[47] 
IN1[48] .. IN1[63] = AMF[0] .. AMF[15] 
INI [64] .. INlflll] = SQN[0] .. SQN[47] 
IN1[112] ..IN1[127]=AMF[0] ..AMF[15] 

Five 128-bit constants cl, c2, c3, c4, c5 are defined as follows: 

cl[i] = for < i < 127 

c2[i] = for < i < 127, except that c2[127] = 

c3[i] = for < i < 127, except that c3[126] = 

c4[i] = for < i < 127, except that c4[125] = 

c5[i] = for < i < 127, except that c5[124] = 

Five integers rl, r2, r3, r4, r5 are defined as follows: 

rl = 64; r2 = 0; r3 = 32; r4 = 64; r5 = 96 

Five 128-bit blocks OUT1, OUT2, OUT3, OUT4, OUT5 are computed as follows: 

OUT1 = E[TEMP rot(INl © OP c , rl) © cl] K © OP c 
OUT2 = E[rot(TEMP0 OP c , r2) © c2] K © OP c 
OUT3 = E[rot(TEMP0 OP c , r3) © c3] K © OP c 
OUT4 = E[rot(TEMP8 OP c , r4) © c4] K © OP c 
OUT5 = E[rot(TEMP0 OP c , r5) © c5] K © OP c 

The outputs of the various functions are then defined as follows: 

Output of/7 = MAC-A, where MAC-A[0] .. MAC-A[63] = OUT1[0] .. OUTl[63] 
Output of/7* = MAC-S, where MAC-S[0] .. MAC-S[63] = OUTl[64] .. OUTl[127] 
Output of/2 = RES, where RES[0] .. RES[63] = OUT2[64] .. OUT2[127] 
Output of/? = CK, where CK[0] .. CK[127] = OUT3[0] .. OUT3[127] 
Output of/4 = IK, where IK[0] .. IK[127] = OUT4[0] .. OUT4[127] 
Output of/5 = AK, where AK[0] .. AK[47] = OUT2[0] .. OUT2[47] 
Output of/5* = AK, where AK[0] .. AK[47] = OUT5[0] .. OUT5[47] 

(The repeated reference to AK is not a mistake: AK is the name of the output of either /5 or/5*, and these two functions 
will not in practice be computed simultaneously.) 



4.2 Specific Example Algorithms 



The specific example algorithm set is defined by specifying the block cipher encryption function E[], which we do in 
this section. (It is left to each operator to specify the Operator Variant Algorithm Configuration Field OP.) 

The block cipher selected is Rijndael [6]. This is the algorithm proposed as the Advanced Encryption Standard [7]. 
More precisely, it is Rijndael with 128-bit key and 128-bit block size. 

E[x] k = the result of applying the Rijndael encryption algorithm 
to the 128-bit value x under the 128-bit key k. 
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Although the definitive specification of Rijndael is in [6], a complete specification of Rijndael with 128-bit key and 
128-bit block size is also given in Annex 2 of this document. 

The inputs to and output of Rijndael are defined as strings of bytes. The 128-bit string x = x[0] II x[l] II ... x[127] is 
treated as a string of bytes by taking x[0] II x[l] II ... x[7] as the first byte, x[8] II x[9] II ... x[15] as the second byte, and 
so on. The key and output string are converted in the same way. 

Note that the following patent statement has been made publicly (and included in [6]) by the authors of the Rijndael 
algorithm: "Rijndael or any of its implementations is not and will not be subject to patents." 



5 Implementation considerations 

5.1 OP c computed on or off the USIM? 

Recall that OP is an Operator Variant Algorithm Configuration Field. It is expected that each operator will define a 
value of OP which will then be used for all its subscribers. (It is up to operators to decide how to manage OP. The 
value of OP used for new batches of USIMs could be changed occasionally; or perhaps a different value could be given 
to each different USIM supplier. OP could even be given a different value for every subscriber if desired, but that is 
not really the intention.) 

It will be seen in section 4.1 that OPc is computed from OP and K, and that it is only OPc, not OP, that is ever used in 
subsequent computations. This gives two alternative options for implementation of the algorithms on the USIM: 

(a) OPc computed off the USIM: OPc is computed as part of the USIM prepersonalisation process, and OPc is 
stored on the USIM. OP itself is not stored on the USIM. 

(b) OP c computed on the USIM: OP is stored on the USIM (it may be considered as a hard-coded part of the 
algorithm if preferred). OPc is recomputed each time the algorithms are called. 

The SAGE Task Force recommends that OPc be computed off the USIM if possible, since this gives the following 
benefits: 

The complexity of the algorithms run on the USIM is reduced. 

It is more likely that OP can be kept secret. (If OP is stored on the USIM, it only takes one USIM to be reverse 
engineered for OP to be discovered and published. But it should be difficult for someone who has discovered 
even a large number of (OPc, K) pairs to deduce OP. That means that the OPc associated with any other value 
of K will be unknown, which may make it harder to mount some kinds of cryptanalytic and forgery attacks. The 
algorithms are designed to be secure whether or not OP is known to the attacker, but a secret OP is one more 
hurdle in the attacker's path.) 

5.2 Customising the choice of block cipher 

It was explained in section 3 that an operator may create a variant algorithm set by selecting a block cipher other than 
Rijndael. It is vitally important that whatever block cipher is chosen is one that has been extensively analysed and is 
still believed to be secure. The security of the authentication and key generation functions is crucially dependent on the 
strength of the block cipher. 

Strictly speaking, in fact, the kernel function does not have to be a block cipher; it just has to be a keyed function (with 
128-bit input, key and output) satisfying the following cryptographic requirement: 

Let the key be fixed. Without initial knowledge of the key, but with a large number of pairs of chosen input and 
resulting output, it must be infeasible to determine the key, and also infeasible to predict the output for any other 
chosen input with probability significantly greater than 2" 128 . 

See also section 5.4 about protecting against side channel attacks; this will need to be borne in mind when 
selecting/implementing a replacement kernel function. 



ETSI 



3GPPTS 35.206 version 5.1.0 Release 5 11 ETSI TS 135 206 V5.1.0 (2003-06) 

5.3 Further customisation 

If an operator wishes to customise the algorithms still further, a simple approach is to select different values for the 
constants cl-c5 and rl-r5. If this is done, the pairs (ci, ri) must all be different . It must not be the case that both ci = 
cj and ri = rj for i + j. For instance, it must not be the case that both c2 = c4 and r2 = r4. Additionally it is 
recommended that the following restrictions are applied: 

cl has even parity. (A 128-bit value has even parity if the number of '1 's in its binary representation is even.) 

c2-c5 all have odd parity. 

5.4 Resistance to side channel attacks 

When these algorithms are implemented on a USIM, consideration should be given to protecting them against side 
channel attacks such as differential power analysis (DPA). [8, 9, 10, 11, 12, 13] may be useful references. 
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Annex 1 : 

Figure of the Algorithms 
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Annex 2: 

Specification of the Block Cipher Algorithm Rijndael 



A2.1 Introduction 



This section provides a specification for the example kernel function. The block cipher used is Rijndael. The complete 
specification of Rijndael is given elsewhere [6], To quote from [6]: 

"Rijndael is an iterated block cipher with a variable block length and a variable key length. The block length and 
the key length can be independently specified to 128, 192 or 256 bits." 

For 3GPP purpose, Rijndael is used only in encryption mode and has the block and key length both set to 128 bits. For 
the rest of this section, when we refer to Rijndael we mean Rijndael with 128-bit block and key length. This document 
describes a simple byte oriented implementation of the encryption mode of Rijndael. Readers wishing more detail on 
the design of the cipher or implementation speed-ups are referred to the original document [6]. 



A2.2 The State and External Interfaces of Rijndael 

Rijndael is composed of a series of rounds that transform the input into the output. An intermediate result is called the 
State. The State can be pictured as a 4x4 rectangular array of bytes (128 bits in total). The Cipher Key is similarly 
pictured as a 4x4 rectangular array. These representations are illustrated in Figure 1 . 



ao,o 


ao,i 


ao,2 


ao,3 




k ,o 


ko,i 


k ,2 


k ,3 


ai,o 


ai,i 


ai,2 


ai, 3 


ki,o 


ki,i 


ki,2 


ki,s 


a2,o 


32,1 


a2,2 


a2,3 


k 2 ,o 


k 2 ,i 


k 2 ,2 


k 2 ,3 


a3,o 


a 3 ,i 


a3,2 


a3,3 


k 3 ,o 


ks,i 


k 3 ,2 


k 3 ,3 



Figure 1 : Example of State and Cipher Key layout 

Rijndael takes plaintext bytes Po, Pi, . . .,Pis and key bytes Ko, Ki, . . .K 15 as input and ciphertext bytes Co, Ci, . . ., C15 as 
output. The plaintext bytes are mapped onto the state bytes in the order ao,o, ai,o, 82,0, 83,0, ao,i, ai,i, 82,1, 83,1, ■ • • and the 
key bytes in the order ko i0 > kjo, k 2 ,o, k 30 , k ,i, k 1;1 , k 2 ,i, k 31 ,. . .. At the end of the cipher operation, the ciphertext is 
extracted from the State by taking the State bytes in the same order. 

Hence if the one-dimensional index of a byte within a block is n and the two dimensional index is (i, j), we have: 

i = n mod 4; j = |_n/4j ; n = i + 4 * j 
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A2.3 Internal Structure 

Rijndael consists of the following operations: 
an initial Round Key addition 
9 rounds, numbered 1-9, each consisting of 

a byte substitution transformation 

a shift row transformation 

a mix column transformation 

a Round Key addition 
A final round (round 10) consisting of 

a byte substitution transformation 

a shift row transformation 

a Round Key addition 

The component transformations and how the Round Keys are derived from the cipher keys are specified in the 
following subsections. 

A2.4 The Byte Substitution Transformation 

The byte substitution transformation is a non-linear byte substitution, operating on each of the State bytes 
independently. The substitution table (S-box) is given in section A2.9. 

Figure 2 illustrates the effect of the byte substitution transformation on the State. 
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Figure 2: Byte substitution acts on the individual bytes of the State 

So, for every element of State, we apply the transformation: 

by = S-box[ ay ] 

Where ay is the initial value of the element in State, 
and by is the output value of the element in State. 
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A2.5 The Shift Row Transformation 

In the shift row transformation, the rows of the State are cyclically left shifted by different amounts. Row is not 
shifted, row 1 is shifted by 1 byte, row 2 by 2 bytes and row 3 by 3 bytes. 

Figure 3 illustrates the effect of the shift row transformation on the State. 
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Figure 3: Shift Row operates on the rows of the State 



A2.6 The Mix Column Transformation 

The mix column transformation operates on each column of the State independently. For column j , we have 



b 2J 
b 3 . 



= T 2 (a 0J ) T 3 ( aiJ ) 8 a 2J © a 3J 
= a„ J ©T 2 (a 1 j)©T 3 (a 2J )©a 3>j 
= a 0J 6 ai j 6 T 2 (a 2J ) T 3 (a 3J ) 
= T 3 (a 0J ) 6 aiJ 8 a 2J 8 T 2 (a 3J ) 



where: 



T 2 (a) = 2*a if a < 128 

or T 2 (a) = (2*a) © 283 if a > 128 
and T 3 (a) = T 2 (a) © a. 



For example: 



If a = 63 then T 2 (63) = 126; T 3 (63) = T 2 (63) © 63 = 65 

If a = 143 then T 2 (143) = 5; T 3 (143) = T 2 (143) © 143 = 138. 

Figure 4 illustrates the effect of the mix column transformation on the State. 
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Figure 4: Mix Column operates on the columns of the State 



A2.7 The Round Key addition 



In this operation, a Round Key is applied to the State by a simple bitwise exclusive-or. The Round Key is derived from 
the Cipher Key by means of the key schedule. The Round Key length is equal to the block length. 

This transformation is illustrated in Figure 5. 
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Figure 5: In the key addition the Round Key is bitwise XORed to the State 

So, for every element of State, we have: 

by = ay © rky 

Where ay is the initial value of the element in State, 

by is the output value of the element in State, and 
rky is the round key byte. 



A2.8 Key schedule 



Rijndael has 1 1 Round Keys, numbered 0-10, that are each 4x4 rectangular arrays of bytes. The Round Keys are 
derived from the Cipher Key by means of the key schedule. The initial Round Key (thought of as the zeroth Round 
Key) is formed directly from the cipher key. This zero* Round Key is used unaltered for the initial key addition. The 
remaining Round Keys are used in the ten rounds. Each new round key is derived from the previous round key. Note: It 
is possible to run the key schedule round by round on an "as required" basis and so only use a total of 16 bytes to store 
the Round Key. 

Let rk r jj be the value of the r th Round Key at position (i, j ) in the array and ky be the cipher key loaded into a 4x4 
array. 

Intialisation: rko,y = ky for all i and j. 
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The other Round Keys (r=l to 10 inclusive) are calculated from the previous one as follows. First the th column is 
constructed: 

rk r ,o,o = r k r -i,o,o © S-box[rk r _ 1;1;3 ] © round_const[r] 
rk ra ,o = rk r _ Mi0 © S-box[rk r . 1A3 ] 
rk r ,2,o = rk r . 1A0 © S-box[rk r . 1)3)3 ] 
rk r ,3,o = rk r . 1)3 , © S-box[rk r . 1)0;3 ] 

where round_const[l] = 1 and round_const[r] = T 2 (round_const[r-l]), and S-box is the previously mentioned byte 
substitution. 

Then the remaining three columns are constructed in turn from the corresponding column of the previous Round Key 
and the previous column of the current Round Key: 

rk r ,ij = rk r _i, i%j © rk r , y _i for i=0,l,2,3 and j=l,2,3, 

Note: The ten round constants computed from the equations: 

round_const[1] = 1 

round_const[r] = T 2 (round_const[r-1]) r=2,3...,10 

are: 1, 2, 4, 8, 16, 32, 64, 128, 27, 54. 



A2.9 The Rijndael S-box 

Sbox[256] = { 

99,124,119,123,242,107,111,197, 48, 1,103, 43,254,215,171,118, 

202, 130, 201, 125, 250, 89, 71, 240, 173, 212, 162, 175, 156, 164, 114, 192, 

183,253,147, 38, 54, 63,247,204, 52,165,229,241,113,216, 49, 21, 

4,199, 35,195, 24,150, 5,154, 7, 18,128,226,235, 39,178,117, 

9,131, 44, 26, 27,110, 90,160, 82, 59,214,179, 41,227, 47,132, 

83,209, 0,237, 32,252,177, 91,106,203,190, 57, 74, 76, 88,207, 
208,239,170,251, 67, 77, 51,133, 69,249, 2,127, 80, 60,159,168, 

81,163, 64,143,146,157, 56,245,188,182,218, 33, 16,255,243,210, 
205, 12, 19,236, 95,151, 68, 23,196,167,126, 61,100, 93, 25,115, 

96,129, 79,220, 34, 42,144,136, 70,238,184, 20,222, 94, 11,219, 
224, 50, 58, 10, 73, 6, 36, 92,194,211,172, 98,145,149,228,121, 
231,200, 55,109,141,213, 78,169,108, 86,244,234,101,122,174, 8, 
186,120, 37, 46, 28,166,180,198,232,221,116, 31, 75,189,139,138, 
112, 62,181,102, 72, 3,246, 14, 97, 53, 87,185,134,193, 29,158, 
225,248,152, 17,105,217,142,148,155, 30,135,233,206, 85, 40,223, 
140,161,137, 13,191,230, 66,104, 65,153, 45, 15,176, 84,187, 22} 
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Annex 3: 

Simulation Program Listing - Byte Oriented 



Example algorithms fl, fl*, f2, f3, f4, f5, f5* 



A sample implementation of the example 3GPP authentication and 
key agreement functions fl, fl*, f2, f3, f4, f5 and f5*. This is 
a byte-oriented implementation of the functions, and of the block 
cipher kernel function Rijndael. 

This has been coded for clarity, not necessarily for efficiency. 

The functions f2, f3, f4 and f5 share the same inputs and have 
been coded together as a single function. fl, fl* and f5* are 
all coded separately. 



typedef unsigned char u8; 



/* Operator Variant Algorithm Configuration Field */ 

/* Insert your value of OP here */ 

u8 OP [16] = {0x63, Oxbf , 0xa5, OxOe, 0xe6, 0x52, 0x33, 0x65, 
Oxff, 0x14, Oxcl, 0xf4, 0x5f, 0x88, 0x73, 0x7d}; 
/* Insert your value of OP here */ 



/* prototypes */ 

void fl ( u8 k[16], u8 rand[16], u8 sqn[6], u8 amf[2], 

u8 mac_a [8] ) ; 
void f2345 ( u8 k[16], u8 rand[16], 

u8 res[8], u8 ck[16], u8 ik[16], u8 ak[6] ); 
void flstar( u8 k[16], u8 rand[16], u8 sqn[6], u8 amf[2], 

u8 mac_s [8] ) ; 
void f5star( u8 k[16], u8 rand[16], 

u8 ak[6] ) ; 
void ComputeOPc ( u8 op_c [16] ) ; 
void Ri jndaelKeySchedule ( u8 key [16] ); 
void Ri jndaelEncrypt ( u8 input [16] , u8 output [16] ) ; 



Algorithm fl 



* Computes network authentication code MAC-A from key K, random 

* challenge RAND, sequence number SQN and authentication management 

* field AMF. 

* v 

void fl ( u8 k[16], u8 rand[16], u8 sqn[6], u8 amf[2], 

u8 mac_a[8] ) 
{ 

u8 op_c [16] ; 

u8 temp [16] ; 

u8 inl[16]; 

u8 outl[16]; 

u8 ri jndaellnput [16] ; 

u8 i; 

Ri jndaelKeySchedule ( k ); 

ComputeOPc ( op_c ) ; 

for (i=0; i<16; i++) 

ri jndaellnput [i] = rand[i] A op_c[i]; 
Ri jndaelEncrypt ( ri jndaellnput, temp ); 
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for (i=0; i<6; i++) 
{ 

inl [i] = sqn [i] ; 

inl [i+8] = sqn[i] ; 
} 

for (i=0; i<2; i++) 
{ 

inl [i+6] = amf [i] ; 

inl [i+14] = amf [i] ; 



/* XOR op_c and inl, rotate by rl=64, and XOR * 
* on the constant cl (which is all zeroes) */ 

for (i=0; i<16; i++) 

ri jndaellnput [ (i+8) % 16] = inl[i] A op_c[i]; 

/* XOR on the value temp computed before */ 

for (i=0; i<16; i++) 

ri jndaellnput [i] A = temp[i]; 

Ri jndaelEncrypt ( ri jndaellnput, outl ); 
for (i=0; i<16; i++) 
outl[i] A = op_c[i]; 

for (i=0; i<8; i++) 
mac_a[i] = outl[i]; 

return; 

/* end of function fl */ 



Algorithms f2-f5 



* Takes key K and random challenge RAND, and returns response RES, 

* confidentiality key CK, integrity key IK and anonymity key AK. 

void f2345 ( u8 k[16], u8 rand[16], 

u8 res[8], u8 ck[16], u8 ik[16], u8 ak[6] ) 
{ 

u8 op_c [16] ; 

u8 temp [16] ; 

u8 out [16]; 

u8 ri jndaellnput [16] ; 

u8 i; 

Ri jndaelKeySchedule ( k ); 

ComputeOPc ( op_c ) ; 

for (i=0; i<16; i++) 

ri jndaellnput [i] = rand[i] A op_c[i]; 
Ri jndaelEncrypt ( ri jndaellnput, temp ); 

/* To obtain output block OUT2: XOR OPc and TEMP, * 

* rotate by r2=0, and XOR on the constant c2 (which * 

* is all zeroes except that the last bit is 1) . */ 

for (i=0; i<16; i++) 

ri jndaellnput [i] = temp[i] A op_c[i]; 
ri jndaellnput [15] ~= 1; 



Ri jndaelEncrypt ( ri jndaellnput , out ); 
for (i=0; i<16; i++) 



out [i] 



op_c [ i ; 



for (i=0; i<8; i++) 
res [i] = out [i+8] , 

for (i=0; i<6; i++) 
ak [i] = out [i] ; 



/* To obtain output block OUT3: XOR OPc an 



id TEMP, 
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* rotate by r3=32, and XOR on the constant c3 (which * 

* is all zeroes except that the next to last bit is 1) . */ 

for (i=0; i<16; i++) 

ri jndaellnput [ (i+12) % 16] = temp[i] A op_c[i]; 
ri jndaellnput [15] ~ = 2; 

Ri jndaelEncrypt ( ri jndaellnput , out ) ; 
for (i=0; i<16; i++) 
out[i] *= op_c[i]; 

for (i=0; i<16; i++) 
ok [i] = out [i] ; 

/* To obtain output block OUT4: XOR OPc and TEMP, * 

* rotate by r4=64, and XOR on the constant c4 (which * 

* is all zeroes except that the 2nd from last bit is 1) . */ 

for (i=0; i<16; i++) 

ri jndaellnput [ (i+8) % 16] = temp[i] A op_c[i]; 
ri jndaellnput [15] *= 4; 

Ri jndaelEncrypt ( ri jndaellnput , out ) ; 
for (i=0; i<16; i++) 
out[i] A = op_c[i]; 

for (i=0; i<16; i++) 
ik[i] = out [i] ; 

return; 
} /* end of function f2345 */ 



Algorithm fl* 



Computes resynch authentication code MAC-S from key K, random 
challenge RAND, sequence number SQN and authentication management 
field AMF. 



void flstar( u8 k[16], u8 rand[16], u8 sqn[6], u8 amf[2], 

u8 mac_s [8] ) 
{ 

u8 op_c [16] ; 

u8 temp [16] ; 

u8 inl[16]; 

u8 outl[16]; 

u8 ri jndaellnput [ 16] ; 

u8 i; 

Ri jndaelKeySchedule ( k ); 

ComputeOPc ( op_c ) ; 

for (i=0; i<16; i++) 

ri jndaellnput [i] = rand[i] A op_c[i]; 
Ri jndaelEncrypt ( ri jndaellnput, temp ); 

for (i=0; i<6; i++) 
{ 

inl [i] = sqn [i] ; 

inl [i+8] = sqn[i] ; 
} 

for (i=0; i<2; i++) 
{ 

inl [i+6] = amf [i] ; 

inl [i+14] = amf [i] ; 



/* XOR op„c and inl, rotate by rl=64, and XOR * 
* on the constant cl (which is all zeroes) */ 

for (i=0; i<16; i++) 

ri jndaellnput [ (i+8) % 16] = inl[i] A op_c[i]; 
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/* XOR on the value temp computed before */ 

for (i=0; i<16; i++) 

ri jndaellnput [i] A = temp[i]; 

Ri jndaelEncrypt ( ri jndaellnput, outl ); 
for (i=0; i<16; i++) 
outl[i] ~ = op_c[i]; 

for (i=0; i<8; i++) 
mac_s[i] = outl[i+8]; 

return; 
} /* end of function flstar */ 



Algorithm £5* 



Takes key K and random challenge RAND, and returns resynch 
anonymity key AK. 



void f5star( u8 k[16], u8 rand[16], 

u8 ak[6] ) 
{ 

u8 op_c [16] ; 

u8 temp [16] ; 

u8 out [16]; 

u8 ri jndaellnput [16] ; 

u8 i; 

Ri jndaelKeySchedule ( k ); 

ComputeOPc ( op_c ) ; 

for (i=0; i<16; i++) 

ri jndaellnput [i] = rand[i] A op_c[i]; 
Ri jndaelEncrypt ( ri jndaellnput, temp ); 

/* To obtain output block OUT5: XOR OPc and TEMP, * 

* rotate by r5=96, and XOR on the constant c5 (which * 

* is all zeroes except that the 3rd from last bit is 1) . */ 

for (i=0; i<16; i++) 

ri jndaellnput [ (i+4) % 16] = temp[i] A op_c[i]; 
ri jndaellnput [15] ~ = 8; 

Ri jndaelEncrypt ( ri jndaellnput, out ); 
for (i=0; i<16; i++) 
out[i] *= op_c[i]; 

for (i=0; i<6; i++) 
ak [i] = out [i] ; 

return; 
} /* end of function f5star */ 



Function to compute OPc from OP and K. Assumes key schedule has 
already been performed. 



void ComputeOPc ( u8 op_c[16] ) 



Ri jndaelEncrypt ( OP, op_c ) ; 
for (i=0; i<16; i++) 
op_c [i] A = OP [i] ; 

return; 
} /* end of function ComputeOPc */ 
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/* 

u8 roundKeys [11] [4] [4] ; 



Rijndael round subkeys 



/* — 

u8 S[ 

99,1 

202, 1 

183,2 

4, 1 

9, 1 

83,2 
208,2 

81,1 
205, 

96,1 
224, 
231,2 
186,1 
112, 
225,2 
140, 1 

}; 



Rijndael S box table 



256] = 
24, 119, 
30,201, 
53, 147, 
99, 35, 
31, 44, 
09, 0, 
39, 170, 
63, 64, 



12, 
29, 

50, 



19, 
79, 
58, 



00, 55. 
20, 37. 
62, 181. 
48, 152. 
61, 137, 



{ 

123, 

125, 

38, 
195, 

26, 
237, 
251, 
143, 
236, 
220, 

10, 
109, 

46, 
102, 

17, 

13, 



242, 107, 

250, 89, 

54, 63, 

24. 150, 
27, 110, 
32,252, 
67, 77, 

146, 157, 

95. 151, 
34, 42, 
73, 6, 

141,213, 

28, 166, 

72, 3, 

105,217, 

191,230, 



111, 
71, 

247, 

5, 

90, 

177, 

51, 

56, 

68, 

144, 

36, 

78, 

180, 

246, 

142, 

66, 



197, 
240, 
204, 
154, 
160, 

91, 
133, 
245, 

23, 
136, 

92, 
169, 
198, 

14, 
148, 
104, 



48, 
173, 

52, 
7, 

82, 
106, 

69, 
188, 
196, 

70, 
194, 
108, 
232, 

97, 
155, 

65, 



1, 

212, 

165, 

18, 

59, 

203, 

249, 

182, 

167, 

238, 

211, 

86, 

221, 

53, 

30, 

153, 



103, 
162, 
229, 
128, 
214, 
190, 
2, 
218, 
126, 
184, 
172, 
244, 
116, 

87, 
135, 

45, 



43, 

175, 

241, 

226, 

179, 

57, 

127, 

33, 

61, 

20, 

98, 

234, 

31, 

185, 

233, 

15, 



254, 

156, 

113, 

235, 

41, 

74, 

80, 

16, 

100, 

222, 

145, 

101, 

75, 

134, 

206, 

176, 



215, 

164, 

216, 

39, 

227, 

76, 

60, 

255, 

93, 

94, 

149, 

122, 

189, 

193, 

85, 

84, 



171, 118, 

114, 192, 

49, 21, 

178, 117, 

47, 132, 

88,207, 

159, 168, 

243,210, 

25, 115, 

11,219, 

228, 121, 

174, 8, 

139, 138, 

29, 158, 

40,223, 

187, 22, 



/* — 

u8 Xt 
0, 

32, 

64, 

96, 
128, 1 
160, 1 
192, 1 
224,2 

27, 

59, 

91, 
123, 1 
155, 1 
187, 1 
219,2 
251,2 



ime [ 

2, 
34, 
66, 
98, 1 
30,1 
62, 1 
94, 1 
26,2 
25, 
57, 
89, 
21, 1 
53, 1 
85, 1 
17,2 
49,2 



Thi 
256] 

4, 
36, 
68, 
00, 1 
32, 1 
64, 1 
96, 1 
28,2 
31, 
63, 
95, 
27, 1 
59, 1 
91,1 
23,2 
55,2 



s array 

= { 

6, 8, 
38, 40, 
70, 72, 
02, 104, 
34, 136, 
66, 168, 
98,200, 
30,232, 
29, 19, 
61, 51, 
93, 83, 
25, 115, 
57, 147, 
89, 179, 
21,211, 
53,243, 



does the multiplication by x in GF(2~8) 



10, 
42, 

74, 
106, 1 
138,1 
170, 1 
202,2 
234,2 

17, 

49, 

81, 
113, 1 
145, 1 
177, 1 
209,2 
241,2 



14 

46 

78 

110 

142 

174 

206 

238 

21 

53 

85 

117 

149 

181 

213 

245 



16, 

48, 

80, 

112, 

144, 

176, 

208, 

240, 

11, 

43, 

75, 

107, 

139, 

171, 

203, 

235, 



18, 
50, 

82, 

114, 

146, 

178, 

210, 

242, 

9, 

41, 

73, 

105, 

137, 

169, 

201, 

233, 



20, 22, 

52, 54, 

84, 86, 

116, 118, 

148, 150, 

180, 182, 

212,214, 

244,246, 

15, 13, 

47, 45, 

79, 77, 

111, 109, 

143, 141, 

175, 173, 

207,205, 

239,237, 



24, 
56, 

88, 

120, 

152, 

184, 

216, 

248, 

3, 

35, 

67, 

99, 

131, 

163, 

195, 

227, 



26, 

58, 

90, 

122, 

154, 

186, 

218, 

250, 

1, 

33, 

65, 

97, 

129, 

161, 

193, 

225, 



28, 30, 

60, 62, 

92, 94, 

124, 126, 

156, 158, 

188, 190, 

220,222, 

252,254, 

7, 5, 

39, 37, 

71, 69, 

103, 101, 

135, 133, 

167, 165, 

199, 197, 

231,229 



Rijndael key schedule function. Takes 16-byte key and creates 
all Rijndael 's internal subkeys ready for encryption. 



void Ri jndaelKeySchedule { u8 key [16] ) 
{ 

u8 roundConst; 

int i, j; 

/* first round key equals key */ 
for (i=0; i<16; i++) 

roundKeys [0] [i & 0x03] [i»2] = key[i], 

roundConst = 1; 



/* now calculate round keys */ 

for (i=l; i<ll; i++) 

{ 

roundKeys [i] [0] [0] = S [roundKeys [i-1] [1] [3] 

A roundKeys [i-1] [0] [0] 

roundKeys [i] [1] [0] = S [roundKeys [i-1] [2] [3] 

" roundKeys [i-1] [1] [0] 

roundKeys [i] [2] [0] = S [roundKeys [i-1 ] [3 ] [3 ] 

A roundKeys [i-1] [2] [0] 

roundKeys [i] [3] [0] = S [roundKeys [i-1] [0] [3] 

" roundKeys [i-1] [3] [0] 



roundConst; 



for (j=0; j<4; j++) 

{ 

roundKeys [i] [j] [1] = roundKeys [i-1] 
roundKeys [i] [ j ] [2] = roundKeys [i-1] 
roundKeys [i] [ j ] [3] = roundKeys [i-1] 



j] [1 


j] [2 


j] [3 



roundKeys [i] [j] [0\ 
roundKeys [i] [j] [1[ 
roundKeys [i] [j] [2~ 
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/* update round constant */ 
roundConst = Xtime [roundConst ] ; 



return; 
} /* end of function Ri jndaelKeySchedule */ 



/* Round key addition function */ 

void KeyAdd(u8 state[4][4], u8 roundKeys [11] [4] [4] , int round) 

{ 

int i, j; 

for (i=0; i<4; i++) 
for (j=0; j<4; j++) 

state [i] [j] A = roundKeys [round] [i] [j]; 

return; 



/* Byte substitution transformation */ 

int ByteSub(u8 state [4] [4]) 

{ 

int i, j; 

for (i=0; i<4; i++) 
for (j=0; j<4; j++) 

State [i] [j] = S[state[i] [j] ]; 

return 0; 



/* Row shift transformation */ 
void ShiftRow(u8 state[4][4]) 
{ 

u8 temp; 



/* left rotate row 1 by 1 
temp = state [1] [0] ; 
state [1] [0] = state[l] [1] 
state [1] [1] = state[l] [2] 
state [1] [2] = state [1] [3] 
state [1] [3] = temp; 



/* left rotate row 2 by 2 - 
temp = state [2] [0] ; 
state[2][0] = state[2][2]; 
state [2] [2] = temp; 
temp = state [2] [1]; 
state[2][l] = state[2][3]; 
state [2] [3] = temp; 



/* left rotate row 3 by 3 
temp = state [3] [0] ; 
state[3][0] = state[3][3] 
state [3] [3] = state[3][2] 
state[3][2] = state[3][l] 
state [3] [1] = temp; 



return; 



/* MixColumn transformation*/ 
void MixColumn (u8 state [4] [4]) 



u8 temp, tmp, tmpO; 
int i; 



/* do one column at a time */ 

for (i=0; i<4;i++) 

{ 

temp = state[0][i] A state[l][i] 

tmpO = state [0] [i] ; 



state[2] [i] 



state[3] [i] 
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/* Xtime array does multiply by x in GF2 A 8 */ 
tmp = Xtime [state [0] [i] A state [1] [i] ] ; 
state [0] [i] A = temp A tmp; 

tmp = Xtime [state [1] [i] A state [2] [i] ] ; 
state [1] [i] A = temp A tmp; 

tmp = Xtime [state [2] [i] A state [3] [i] ] ; 
state [2] [i] A = temp A tmp; 

tmp = Xtime [state [3] [i] A tmpO]; 
state [3] [i] A = temp A tmp; 



return; 
} 



/* 

* Rijndael encryption function. Takes 16-byte input and creates 

* 16-byte output (using round keys already derived from 16-byte 

* key) . 

* */ 

void RijndaelEncrypt ( u8 input [16], u8 output [16] ) 
{ 

u8 state[4] [4] ; 

int i, r; 

/* initialise state array from input byte string */ 
for (i=0; i<16; i++) 

state [i & 0x3] [i»2] = input [i]; 

/* add first round_key */ 
KeyAdd (state, roundKeys, 0); 

/* do lots of full rounds */ 

for (r=l; r<=9; r++) 

{ 

ByteSub (state) ; 

ShiftRow (state) ; 

MixColumn (state) ; 

KeyAdd (state, roundKeys, r) ; 



/* final round */ 

ByteSub (state) ; 

ShiftRow (state) ; 

KeyAdd (state, roundKeys, r) ; 

/* produce output byte string from state array */ 

for (i=0; i<16; i++) 

{ 

output [i] = state [i & 0x3] [i»2]; 



return; 
} /* end of function RijndaelEncrypt */ 
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Annex 4: 

Rijndael Listing - 32-Bit Word Oriented 



Rijndael Implementation 



* A sample 32-bit orientated implementation of Rijndael, the 

* suggested kernel for the example 3GPP authentication and key 

* agreement functions. 

* This implementation draws on the description in section 5.2 of 

* the AES proposal and also on the implementation by 

* Dr B. R. Gladman <brg@gladman . uk . net> 9th October 2000. 

* It uses a number of large (4k) lookup tables to implement the 

* algorithm in an efficient manner. 

* Note: in this implementation the State is stored in four 32-bit 

* words, one per column of the State, with the top byte of the 

* column being the _least_ significant byte of the word. 

* */ 

#define LITTLE_ENDIAN /* For INTEL architecture */ 



typedef unsigned char u8; 
typedef unsigned int u32; 

/* Circular byte rotates of 32 bit values */ 

#define rotl (x) ( (x << 8) I (x >> 24)) 
#define rot2 (x) ( (x << 16) I (x » 16)) 
#define rot3 (x) ( (x << 24) | (x » 8)) 

/* Extract a byte from a 32-bit u32 */ 

#define byteO (x) ((u8)(x)) 

#define bytel (x) ((u8)(x >> 8)) 

#define byte2 (x) ((u8) (x >> 16)) 

#define byte3 (x) ((u8) (x >> 24)) 



/* Put or get a 32 bit u32 (v) in machine order from a byte * 
* address in (x) */ 

#ifdef LITTLE_ENDIAN 

#define u32_in(x) (*(u32*)(x)) 
#define u32_out(x,y) (*(u32*)(x) = y) 

#else 

/* Invert byte order in a 32 bit variable */ 

inline u32 byte_swap (const u32 x) 

return rotl(x) & OxOOffOOff | rot3 (x) & OxffOOffOO; 

inline u32 u32_in(const u8 x[]) 

return byte_swap ( * (u32* ) x) ; 

inline void u32_out (u8 x[], const u32 v) 

*(u32*)x = byte_swap (v) ; 

#endif 

/* The lookup tables 

static u32 rnd_con[10] = 
{ 
0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, OxlB, 0x36 
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}; 



static u32 ft_tab[4] [256] 



{ 

0xA56363C6 

0x50303060 

0x45CACA8F 

0xECADAD41 

0xC2B7B775 

0x5C343468 

0x0C040408 

0x0907070E 

0xlB090912 

0xF65252A4 

0xF55353A6 

0xBE6A6AD4 

0x6BD0D0BB 

0xCF45458A 

0xF35151A2 

0xDFBCBC63 

0x4CCDCD81 

0x57C4C493 

0xA06060C0 

0xCA46468C 

0x3BE0E0DB 

0x5DC2C29F 

0x32E7E7D5 

0xB46C6CD8 

0xD5BABA6F 

0x23E8E8CB 

0x907070E0 

0xA36161C2 

0x38E1E1D9 

0xB69B9B2D 

0x8F8C8C03 

0xC3414182 



0x847C7CF8 
0x03010102 
0x9D82821F 
0x67D4D4B3 
OxlCFDFDEl 
0xF4A5A551 
0x52C7C795 
0x36121224 
0x9E83831D 
0x4D3B3B76 
0x68D1D1B9 
0x46CBCB8D 
0x2AEFEFC5 
0xl0F9F9E9 
0xFEA3A35D 
0xClB6B677 
0xl40C0C18 
0xF2A7A755 
0x98818119 
0x29EEEEC7 
0x56323264 
0x6ED3D3BD 
0x43C8C88B 
0xFA5 65 6AC 
0x887878F0 
0x7CDDDDAl 
0x423E3E7C 
0x5F35356A 
0xl3F8F8EB 
0x221ElE3C 
0xF8AlA159 
0xB0999929 



0x997777EE 
0xA96767CE 
0x40C9C989 
0xFDA2A25F 
0xAE93933D 
0x34E5E5Dl 
0x65232346 
0x9B80801B 
0x742C2C58 
0x61D6D6B7 
0000000000 
0xD9BEBE67 
0xE5AAAA4F 
0x06020204 
0xC0404080 
0x7 5DADAAF 
0x35131326 
0x827E7EFC 
0xD14F4F9E 
0xD3B8B86B 
0x4E3A3A74 
0xEFACAC4 3 
0x5937376E 
0x07F4F4F3 
0x6F25254A 
0x9C7474E8 
0xC4B5B571 
0xF95757AE 
0xB398982B 
0x92878715 
0x80898909 
0x772D2D5A 



0x8D7B7BF6 
0x7D2B2B56 
0x877D7DFA 
0xEAAFAF4 5 
0x6A26264C 
0x08F1F1F9 
0x5EC3C39D 
0x3DE2E2DF 
0x2E1A1A34 
0xCEB3B37D 
0x2CEDEDCl 
0x4B393972 
0xl6FBFBED 
0x817F7FFE 
0x8A8F8F05 
0x63212142 
0x2FECECC3 
0x473D3D7A 
0x7FDCDCA3 
0x3C141428 
0xlE0A0A14 
0xA66262C4 
0xB76D6DDA 
0x25EAEACF 
0x722E2E5C 
0x211FlF3E 
0xAA6666CC 
0xD0B9B969 
0x33111122 
0x20E9E9C9 
0xl70D0DlA 
OxllOFOFlE 



0x0DF2F2FF 
0xl9FEFEE7 
0xl5FAFAEF 
0xBF9C9C23 
0x5A36366C 
0x937171E2 
0x28181830 
0x26EBEBCD 
0x2D1B1B36 
0x7B292952 
0x60202040 
0xDE4A4A94 
0xC5434386 
0xF05050A0 
0xAD92923F 
0x30101020 
0xE15F5FBE 
0xAC6464C8 
0x66222244 
0x79DEDEA7 
0xDB494992 
0xA8919139 
0x8C8D8D01 
0xAF6565CA 
0x241ClC38 
0xDD4B4B96 
0xD8484890 
0x91868617 
0xBB6969D2 
0x49CECE87 
0xDABFBF65 
0xCBB0B07B 



0xBD6B6BD6 
0x62D7D7B5 
0xEB5959B2 
0xF7A4A453 
0x413F3F7E 
0x73D8D8AB 
0xA1969637 
0x6927274E 
0xB26E6EDC 
0x3EE3E3DD 
0xlFFCFCE3 
0xD44C4C98 
0xD74D4D9A 
0x443C3C78 
0xBC9D9D21 
0xlAFFFFE5 
0xA2979735 
0xE75D5DBA 
0x7E2A2A54 
0xE25E5EBC 
0x0A06060C 
0xA4959531 
0x64D5D5Bl 
0x8E7A7AF4 
0xFlA6A657 
0xDCBDBD61 
0x05030306 
0x58ClC199 
0x70D9D9A9 
0xFF5555AA 
0x31E6E6D7 
0xFC5454A8 



0xB16F6FDE 
0xE6ABAB4D 
0xC947478E 
0x967272E4 
0x02F7F7F5 
0x53313162 
0x0F05050A 
0xCDB2B27F 
0xEE5A5AB4 
0x712F2F5E 
0xC8BlB179 
0xE85858B0 
0x55333366 
0xBA9F9F25 
0x48383870 
0x0EF3F3FD 
0xCC444488 
0x2B191932 
0xAB90903B 
0xlD0B0B16 
0x6C242448 
0x37E4E4D3 
0xD24E4E9C 
0xE9AEAE47 
0xC7B4B473 
0x868B8B0D 
0x01F6F6F7 
0x271DlD3A 
0x898E8E07 
0x78282850 
0xC6424284 
0xD6BBBB6D 



0x54C5C591, 
0x9A7676EC, 
OxOBFOFOFB, 
0x5BC0C09B, 
0x4FCCCC83, 
0x3F15152A, 
0xB59A9A2F, 
0x9F7575EA, 
0xFBA0A05B, 
0x97848413, 
0xED5B5BB6, 
0x4ACFCF85, 
0x94858511, 
0xE3A8A84B, 
0x04F5F5Fl, 
Ox6DD2D2BF, 
0x3917172E, 
0x957373E6, 
0x8388880B, 
0x76DBDBAD, 
0xE45C5CB8, 
0x8B7979F2, 
0xE0A9A949, 
0x18080810, 
0x51C6C697, 
0x858A8A0F, 
0xl20E0ElC, 
0xB99E9E27, 
0xA7949433, 
Ox7ADFDFA5, 
0xB86868D0, 
0x3A16162C 



{ 

0x6363C6A5 

0x30306050 

0xCACA8F45 

0xADAD41EC 

0xB7B775C2 

0x3434685C 

0x0404080C 

Ox07070E09 

0x0909121B 

0x5252A4F6 

0x5353A6F5 

0x6A6AD4BE 

0xD0D0BB6B 

0x45458ACF 

0x5151A2F3 

0xBCBC63DF 

0xCDCD814C 

OxC4C49357 

0x6060C0A0 

0x46468CCA 

0xE0E0DB3B 

0xC2C29F5D 

0xE7E7D532 

0x6C6CD8B4 

0xBABA6FD5 

0xE8E8CB23 

0x7070E090 

0x6161C2A3 

0xE1E1D938 

0x9B9B2DB6 

0x8C8C038F 

0x414182C3 



0x7C7CF884 
0x01010203 
0x82821F9D 
0xD4D4B367 
OxFDFDEllC 
0xA5A551F4 
0xC7C79552 
0x12122436 
0x83831D9E 
0x3B3B764D 
0xD1D1B968 
0xCBCB8D46 
0xEFEFC52A 
0xF9F9E910 
0xA3A35DFE 
0xB6B677Cl 
0x0C0C1814 
OxA7A755F2 
0x81811998 
0xEEEEC729 
0x32326456 
0xD3D3BD6E 
0xC8C88B43 
0x5656ACFA 
0x7878F088 
0xDDDDA17C 
0x3E3E7C42 
0x35356A5F 
0xF8F8EB13 
0xlElE3C22 
0xAlA159F8 
0x999929B0 



0x7777EE99 
0x6767CEA9 
0xC9C98940 
OxA2A25FFD 
0x93933DAE 
0xE5E5D134 
0x23234665 
0x80801B9B 
0x2C2C5874 
0xD6D6B761 
0000000000 
0xBEBE67D9 
0xAAAA4FE5 
0x02020406 
0x404080C0 
0xDADAAF7 5 
0x13132635 
0x7E7EFC82 
0x4F4F9EDl 
0xB8B86BD3 
0x3A3A744E 
0xACAC43EF 
0x37376E59 
0xF4F4F307 
0x25254A6F 
0x7474E89C 
0xB5B571C4 
Ox5757AEF9 
0x98982BB3 
0x87871592 
0x89890980 
0x2D2D5A77 



0x7B7BF68D 
0x2B2B567D 
0x7D7DFA87 
OxAFAF45EA 
0x26264C6A 
0xF1F1F908 
0xC3C39D5E 
0xE2E2DF3D 
0xlAlA342E 
0xB3B37DCE 
0xEDEDC12C 
0x3939724B 
0xFBFBED16 
0x7F7FFE81 
0x8F8F058A 
0x21214263 
0xECECC32F 
0x3D3D7A47 
0xDCDCA37F 
0xl414283C 
OxOAOA141E 
0x6262C4A6 
0x6D6DDAB7 
0xEAEACF25 
0x2E2E5C72 
0xlFlF3E21 
0x6666CCAA 
0xB9B969D0 
0x11112233 
0xE9E9C920 
0x0D0DlA17 
OxOFOFlEll 



OxF2F2FFOD 
0xFEFEE719 
0xFAFAEF15 
0x9C9C23BF 
0x36366C5A 
0x7171E293 
0x18183028 
0xEBEBCD2 6 
0xlBlB362D 
0x2929527B 
0x20204060 
Ox4A4A94DE 
0x434386C5 
0x5050A0F0 
0x92923FAD 
0x10102030 
Ox5F5FBEEl 
0x6464C8AC 
0x22224466 
0xDEDEA779 
0x494992DB 
0x919139A8 
0x8D8D018C 
0x6565CAAF 
0xlClC3824 
0x4B4B96DD 
0x484890D8 
0x86861791 
0x6969D2BB 
0xCECE8749 
0xBFBF65DA 
0xB0B07BCB 



0x6B6BD6BD 
0xD7D7B562 
Ox5959B2EB 
OxA4A453F7 
0x3F3F7E41 
0xD8D8AB73 
0x969637Al 
0x27274E69 
0x6E6EDCB2 
0xE3E3DD3E 
0xFCFCE31F 
0x4C4C98D4 
0x4D4D9AD7 
0x3C3C7844 
0x9D9D21BC 
OxFFFFE51A 
0x979735A2 
Ox5D5DBAE7 
Ox2A2A547E 
Ox5E5EBCE2 
0x06060C0A 
0x959531A4 
0xD5D5B164 
0x7A7AF48E 
0xA6A657Fl 
0xBDBD61DC 
0x03030605 
0xClC19958 
0xD9D9A970 
0x5555AAFF 
0xE6E6D731 
0x5454A8FC 



0x6F6FDEBl 
0xABAB4DE6 
0x47478EC9 
0x7272E496 
0xF7F7F502 
0x31316253 
0x05050A0F 
0xB2B27FCD 
Ox5A5AB4EE 
0x2F2F5E71 
0xBlB179C8 
0x5858B0E8 
0x33336655 
0x9F9F25BA 
0x38387048 
0xF3F3FD0E 
0x444488CC 
0xl919322B 
0x90903BAB 
0x0B0B161D 
0x2424486C 
0xE4E4D337 
0x4E4E9CD2 
0xAEAE47E9 
0xB4B473C7 
0x8B8B0D86 
0xF6F6F701 
0xlDlD3A27 
0x8E8E0789 
0x28285078 
0x424284C6 
0xBBBB6DD6 



OxC5C59154, 
0x7676EC9A, 
OxFOFOFBOB, 
0xC0C09B5B, 
0xCCCC834F, 
0xl5152A3F, 
0x9A9A2FB5, 
Ox7575EA9F, 
0xA0A05BFB, 
0x84841397, 
0x5B5BB6ED, 
0xCFCF854A, 
0x85851194, 
0xA8A84BE3, 
OxF5F5F104, 
0xD2D2BF6D, 
0xl7172E39, 
0x7373E695, 
0x88880B83, 
0xDBDBAD76, 
0x5C5CB8E4, 
0x7979F28B, 
0xA9A949E0, 
0x08081018, 
0xC6C69751, 
0x8A8A0F85, 
0x0E0ElC12, 
0x9E9E27B9, 
0x949433A7, 
0xDFDFA57A, 
0x6868D0B8, 
0xl6162C3A 



{ 

0x63C6A563, 0x7CF8847C, 0x77EE9977, 0x7BF68D7B, 0xF2FF0DF2, 0x6BD6BD6B, 0x6FDEB16F, 0xC59154C5, 
0x30605030, 0x01020301, 0x67CEA967, 0x2B567D2B, 0xFEE719FE, 0xD7B562D7, 0xAB4DE6AB, 0x76EC9A76, 
0xCA8F45CA, 0x821F9D82, 0xC98940C9, 0x7DFA877D, OxFAEF15FA, 0x59B2EB59, 0x478EC947, OxFOFBOBFO, 
0xAD41ECAD, 0xD4B367D4, 0xA25FFDA2, 0xAF45EAAF, 0x9C23BF9C, 0xA453F7A4, 0x72E49672, 0xC09B5BC0, 
OxB775C2B7, OxFDEllCFD, 0x933DAE93, 0x264C6A26, 0x366C5A36, 0x3F7E413F, 0xF7F502F7, 0xCC834FCC, 
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0x34685C34, 
0x04080C04, 
0x070E0907, 
0x09121B09, 
0x52A4F652, 
0x53A6F553, 
0x6AD4BE6A, 
0xD0BB6BD0, 
0x458ACF45, 
0x51A2F351, 
0xBC63DFBC, 
0xCD814CCD, 
0xC49357C4, 
0x60C0A060, 
0x468CCA46, 
0xE0DB3BE0, 
0xC29F5DC2, 
0xE7D532E7, 
0x6CD8B46C, 
0xBA6FD5BA, 
0xE8CB23E8, 
0x70E09070, 
0x61C2A361, 
0xElD938El, 
0x9B2DB69B, 
0x8C038F8C, 
0x4182C341, 



0xA551F4A5, 
0xC79552C7, 
0x12243612, 
0x831D9E83, 
0x3B764D3B, 
0xDlB968Dl, 
0xCB8D46CB, 
0xEFC52AEF, 
0xF9E910F9, 
0xA35DFEA3, 
0xB677ClB6, 
0x0C18140C, 
0xA755F2A7, 
0x81199881, 
0xEEC729EE, 
0x32645632, 
0xD3BD6ED3, 
0xC88B43C8, 
0x56ACFA56, 
0x78F08878, 
0xDDA17CDD, 
0x3E7C423E, 
0x356A5F35, 
0xF8EB13F8, 
0xlE3C221E, 
0xA159F8Al, 
0x9929B099, 



0xE5D134E5 
0x23466523 
0x801B9B80 
0x2C58742C 
0xD6B761D6 
0000000000 
0xBE67D9BE 
0xAA4FE5AA 
0x02040602 
0x4080C040 
0xDAAF75DA 
0x13263513 
0x7EFC827E 
0x4F9ED14F 
0xB86BD3B8 
0x3A744E3A 
0xAC43EFAC 
0x376E5937 
0xF4F307F4 
0x254A6F25 
0x74E89C74 
0xB571C4B5 
0x57AEF957 
0x982BB398 
0x87159287 
0x89098089 
0x2D5A772D 



0xFlF908Fl 
0xC39D5EC3 
0xE2DF3DE2 
0xlA342ElA 
0xB37DCEB3 
0xEDC12CED 
0x39724B39 
0xFBED16FB 
0x7FFE817F 
0x8F058A8F 
0x21426321 
0xECC32FEC 
0x3D7A473D 
0xDCA37FDC 
0xl4283C14 
0x0A141E0A 
0x62C4A662 
0x6DDAB76D 
0xEACF25EA 
0x2E5C722E 
0xlF3E211F 
0x66CCAA66 
0xB969D0B9 
0x11223311 
0xE9C920E9 
0x0DlA170D 
OxOFlEllOF 



0x71E29371, 
0x18302818, 
0xEBCD26EB, 
0xlB362DlB, 
0x29527B29, 
0x20406020, 
0x4A94DE4A, 
0x4386C543, 
Ox50AOF050, 
0x923FAD92, 
0x10203010, 
0x5FBEE15F, 
0x64C8AC64, 
0x22446622, 
0xDEA779DE, 
0x4992DB49, 
0x9139A891, 
0x8D018C8D, 
0x65CAAF65, 
0xlC38241C, 
0x4B96DD4B, 
0x4890D848, 
0x86179186, 
0x69D2BB69, 
0xCE8749CE, 
0xBF65DABF, 
0xB07BCBB0, 



0xD8AB73D8, 
0x9637A196, 
0x274E6927, 
0x6EDCB26E, 
0xE3DD3EE3, 
0xFCE31FFC, 
0x4C98D44C, 
0x4D9AD74D, 
0x3C78443C, 
0x9D21BC9D, 
OxFFE51AFF, 
0x9735A297, 
0x5DBAE75D, 
Ox2A547E2A, 
0x5EBCE25E, 
0x060C0A06, 
0x9531A495, 
0xD5B164D5, 
0x7AF48E7A, 
0xA657FlA6, 
0xBD61DCBD, 
0x03060503, 
0xC19958Cl, 
0xD9A970D9, 
0x55AAFF55, 
0xE6D731E6, 
0x54A8FC54, 



0x31625331 
0x050A0F05 
0xB27FCDB2 
0x5AB4EE5A 
0x2F5E712F 
0xB179C8Bl 
0x58B0E858 
0x33665533 
0x9F25BA9F 
0x38704838 
0xF3FD0EF3 
0x4488CC44 
0xl9322B19 
0x903BAB90 
0x0B161D0B 
0x24486C24 
0xE4D337E4 
0x4E9CD24E 
0xAE47E9AE 
0xB473C7B4 
0x8B0D868B 
0xF6F701F6 
0xlD3A271D 
0x8E07898E 
0x28507828 
0x4284C642 
0xBB6DD6BB 



0xl52A3F15, 
0x9A2FB59A, 
0x75EA9F75, 
0xA05BFBA0, 
0x84139784, 
0x5BB6ED5B, 
0xCF854ACF, 
0x85119485, 
0xA84BE3A8, 
0xF5F104F5, 
0xD2BF6DD2, 
0xl72E3917, 
0x73E69573, 
0x880B8388, 
0xDBAD7 6DB, 
0x5CB8E45C, 
0x79F28B79, 
0xA949E0A9, 
0x08101808, 
0xC69751C6, 
0x8A0F858A, 
0x0ElC120E, 
0x9E27B99E, 
0x9433A794, 
0xDFA57ADF, 
0x68D0B868, 
0xl62C3A16 



{ 

0xC6A56363 
0x60503030 
0x8F45CACA 
0x41ECADAD 
0x75C2B7B7 
0x685C3434 
0x080C0404 
OxOE090707 
0xl21B0909 
0xA4F65252 
0xA6F55353 
0xD4BE6A6A 
0xBB6BD0D0 
0x8ACF4545 
0xA2F35151 
0x63DFBCBC 
0x814CCDCD 
0x9357C4C4 
0xC0A06060 
0x8CCA4646 
0xDB3BE0E0 
0x9F5DC2C2 
0xD532E7E7 
0xD8B46C6C 
0x6FD5BABA 
0xCB23E8E8 
0xE0907070 
0xC2A36161 
0xD938ElEl 
0x2DB69B9B 
0x038F8C8C 
0x82C34141 



0xF8847C7C 
0x02030101 
0xlF9D8282 
0xB367D4D4 
OxEllCFDFD 
0x51F4A5A5 
0x9552C7C7 
0x24361212 
0xlD9E8383 
0x764D3B3B 
0xB968DlDl 
0x8D46CBCB 
OxC52AEFEF 
0xE910F9F9 
0x5DFEA3A3 
0x77ClB6B6 
0xl8140C0C 
Ox55F2A7A7 
0x19988181 
0xC729EEEE 
0x64563232 
0xBD6ED3D3 
0x8B43C8C8 
0xACFA5 65 6 
0xF0887878 
OxA17CDDDD 
0x7C423E3E 
0x6A5F3535 
0xEB13F8F8 
0x3C221ElE 
0x59F8AlAl 
0x29B09999 



0xEE997777 
0xCEA96767 
0x8940C9C9 
0x5FFDA2A2 
0x3DAE9393 
0xD134E5E5 
0x46652323 
0xlB9B8080 
0x58742C2C 
0xB761D6D6 
0000000000 
0x67D9BEBE 
0x4FE5AAAA 
0x04060202 
0x80C04040 
0xAF7 5DADA 
0x26351313 
0xFC827E7E 
Ox9ED14F4F 
0x6BD3B8B8 
0x744E3A3A 
0x43EFACAC 
0x6E593737 
0xF307F4F4 
0x4A6F2525 
0xE89C7474 
Ox71C4B5B5 
0xAEF95757 
0x2BB39898 
0x15928787 
0x09808989 
0x5A772D2D 



0xF68D7B7B 
0x567D2B2B 
0xFA877D7D 
0x4 5EAAFAF 
0x4C6A2626 
0xF908FlFl 
0x9D5EC3C3 
OxDF3DE2E2 
0x342E1A1A 
Ox7DCEB3B3 
0xC12CEDED 
0x724B3939 
0xED16FBFB 
0xFE817F7F 
0x058A8F8F 
0x42632121 
0xC32FECEC 
0x7A473D3D 
0xA37FDCDC 
0x283C1414 
0xl41E0A0A 
0xC4A66262 
0xDAB76D6D 
OxCF25EAEA 
0x5C722E2E 
0x3E211FlF 
0xCCAA6666 
0x69D0B9B9 
0x22331111 
0xC920E9E9 
0xlA170D0D 
OxlEllOFOF 



OxFFODF2F2 
0xE719FEFE 
0xEF15FAFA 
0x23BF9C9C 
0x6C5A3636 
0xE2937171 
0x30281818 
0xCD26EBEB 
0x362D1B1B 
0x527B2929 
0x40602020 
Ox94DE4A4A 
0x86C54343 
0xA0F05050 
0x3FAD9292 
0x20301010 
0xBEE15F5F 
0xC8AC6464 
0x44662222 
0xA779DEDE 
0x92DB4949 
0x39A89191 
0x018C8D8D 
0xCAAF6565 
0x38241ClC 
0x96DD4B4B 
0x90D84848 
0x17918686 
0xD2BB6969 
0x8749CECE 
0x65DABFBF 
0x7BCBB0B0 



0xD6BD6B6B 
0xB562D7D7 
0xB2EB5959 
Ox53F7A4A4 
0x7E413F3F 
0xAB73D8D8 
0x37A19696 
0x4E692727 
0xDCB26E6E 
0xDD3EE3E3 
0xE31FFCFC 
0x98D44C4C 
0x9AD74D4D 
0x78443C3C 
0x21BC9D9D 
0xE51AFFFF 
0x35A29797 
0xBAE75D5D 
Ox547E2A2A 
0xBCE25E5E 
0x0C0A0606 
0x31A49595 
0xB164D5D5 
0xF48E7A7A 
0x57FlA6A6 
0x61DCBDBD 
0x06050303 
0x9958ClCl 
0xA970D9D9 
OxAAFF5555 
0xD731E6E6 
0xA8FC5454 



0xDEB16F6F 
0x4DE6ABAB 
0x8EC94747 
0xE4967272 
0xF502F7F7 
0x62533131 
0x0A0F0505 
0x7FCDB2B2 
0xB4EE5A5A 
Ox5E712F2F 
0x79C8BlBl 
0xB0E85858 
0x66553333 
0x25BA9F9F 
0x70483838 
0xFD0EF3F3 
0x88CC4444 
0x322B1919 
0x3BAB9090 
0xl61D0B0B 
0x486C2424 
0xD337E4E4 
0x9CD24E4E 
0x47E9AEAE 
Ox73C7B4B4 
0x0D868B8B 
0xF701F6F6 
0x3A271DlD 
0x07898E8E 
0x50782828 
0x84C64242 
0x6DD6BBBB 



0x9154C5C5, 
0xEC9A7676, 
OxFBOBFOFO, 
0x9B5BC0C0, 
0x834FCCCC, 
Ox2A3F1515, 
0x2FB59A9A, 
0xEA9F7575, 
0x5BFBA0A0, 
0x13978484, 
0xB6ED5B5B, 
0x854ACFCF, 
0x11948585, 
0x4BE3A8A8, 
OxF104F5F5, 
0xBF6DD2D2, 
0x2E391717, 
0xE6957373, 
OxOB838888, 
0xAD76DBDB, 
0xB8E45C5C, 
0xF28B7979, 
0x49E0A9A9, 
0x10180808, 
0x9751C6C6, 
0x0F858A8A, 
0xlC120E0E, 
0x27B99E9E, 
0x33A79494, 
0xA57ADFDF, 
0xD0B86868, 
0x2C3A1616 



}; 



static u32 fl_tab[4] [256] 



{ 

0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 



00063, 

00030, 
OOOCA, 
OOOAD, 
000B7, 
00034, 
00004, 
00007, 
00009, 
00052, 
00053, 



0x000 

0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 



0007C, 
00001, 
00082, 
000D4, 
OOOFD, 
000A5, 
000C7, 
00012, 
00083, 
0003B, 
000D1, 



0x000 

0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 



00077, 
00067, 
000C9, 
000A2, 
00093, 
000E5, 
00023, 
00080, 
0002C, 
000D6, 
00000, 



0x000 

0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 



0007B, 

0002B, 
0007D, 
00 OAF, 
00026, 
000F1, 
000C3, 
000E2, 
0001A, 
000B3, 
OOOED, 



0x000 

0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 



000F2, 
OOOFE, 
OOOFA, 
0009C, 
00036, 
00071, 
00018, 
OOOEB, 
0001B, 
00029, 
00020, 



0x000 

0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 



0006B, 

000D7, 
00059, 
000A4, 
0003F, 
000D8, 
00096, 
00027, 
0006E, 
000E3, 
OOOFC, 



0x000 

0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 



0006F, 
OOOAB, 

00047, 
00072, 
000F7, 
00031, 
00005, 
000B2, 
0005A, 
0002F, 
000B1, 



0x000 

0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 



000C5, 
00076, 
OOOFO, 
OOOCO, 
OOOCC, 
00015, 
0009A, 
00075, 
OOOAO, 
00084, 
0005B, 
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0x0000006A, 0x000000CB,0x000000BE, 0x0000003 9, 0x0000004A, 0x0000004C, 0x00000058, OxOOOOOOCF, 
OxOOOOOODO, OxOOOOOOEF, OxOOOOOOAA, OxOOOOOOFB, 0x00000043, Ox0000004D, 0x00000033, 0x00000085, 
0x00000045, 0x000000F9, 0x00000002, Ox0000007F, 0x00000050, 0x0000003C,0x0000009F,0x000000A8, 
0x0000005 1,0x0 000 0A3, 0x0 000 04 0,0x0 0000 8F, 0x000000 92, 0x000000 9D, 0x00000 03 8, 0x0 0000F5, 
OxOOOOOOBC, 0x00000 0B6, OxOOOOOODA, 0x00000021,0x00000010, OxOOOOOOFF, 0x00000 0F3, 0x00000 0D2, 
OxOOOOOOCD, OxOOOOOOOC, 0x00000013, OxOOOOOOEC, 0x0 00 00 05F, 0x00 00 00 97, 0x0 00 00 044, 0x00000017, 
0x00000 0C4, OxOOOOOOA7, Ox0000007E, 0x0 0000 03D, 0x000000 64, Ox0000005D, 0x00000019, 0x00000073, 
0x00000060, 0x00000081, Ox0 00 04F, OxOOOOOODC, 0x00000022, 0x0000002A, 0x00000090,0x00000088, 
0x00000046, OxOOOOOOEE, 0x00000 0B8, 0x00000014, 0x0 00 ODE, 0x000000 5E, 0x000000 OB, OxOOOOOODB, 
OxOOOOOOEO, 0x00000032, 0x0000003A,0x0000000A, 0x00000049, 0x00000006, 0x00 00 0024, 0x0 00 00 05C, 
0x000000C2,0x000000D3,0x000000AC, 0x00000062, 0x00000091, 0x00000095, OxOOOOOOE4, 0x00000079, 
0x000000E7, 0x000000C8, 0x00000037, 0x0000006D, 0x0000008D, 0x000000D5, Ox0000004E, 0x000000A9, 
0x00 0000 6C, 0x000 0005 6, 0x00 00 00F4, 0x0 OOOOOEA, 0x000000 65, 0x000 0007A, 0x00000 OAE, 0x00000008, 
OxOOOOOOBA, 0x0 00 00 07 8,0x00 000025, 0x0000002E, 0x00 00 00 1C, 0x0 00 00 0A6, 0x0000 00B4, 0x000000C6, 
0x00000 OE 8, OxOOOOOODD, 0x00000074, 0x000000 IF, 0x000000 4B, OxOOOOOOBD, 0x000000 8B, 0x000000 8A, 
0x0 00 0007 0, 0x00 003E, 0x000 0B5, 0x0000 66, 0x0 00004 8, 0x00 00 00 03, 0x000 0F6, 0x0000 00 OE, 
0x00000061, 0x00000035, 0x00000057, 0x000000B9, 0x00000086, OxOOOOOOCl, OxOOOOOOlD, 0x000000 9E, 
0x000000El,0x000000F8, 0x00000098, 0x00000011, 0x00000069, 0x000000D9,0x0000008E, 0x00000094, 
0x0000009B, OxOOOOOOlE, 0x00000087, 0x000000E9, OxOOOOOOCE, 0x00000055, 0x0 0000028, OxOOOOOODF, 
0x0000008C,0x000000Al, 0x0 00 00 8 9, OxOOOOOOOD, OxOOOOOOBF, 0x000000E6, 0x00000042, 0x00000068, 
0x00000041, 0x00000099, 0x000000 2D, 0x000000 OF, 0x00000 OBO, 0x00000054, OxOOOOOOBB, 0x00000016 
}, 
{ 

0x00006300, 0x00 007C00, 0x0 00 077 0, 0x00 007B00, 0x0000F200, 0x00 00 6B00, 0x00006F00, OxOOOOC500, 
0x00003 00,0x0 0000100,0x00 00 67 00,0x0 00 02B0 0,0x0000FE00,0x0 00 0D7 0,0x0000AB00,0x0 00 07 600, 
OxOOOOCAOO, 0x00008200, 0x0 0C90 0, Ox0 07DOO, OxOOOOFAOO, 0x0 0005900, 0x0 0004700, OxOOOOFOOO, 
OxOOOOADOO, 0x000 0D400, 0x0000A200, OxOOOOAFOO, 0x00009C00, OxOOOOA400, 0x00007200, OxOOOOCOOO, 
0x0000B700,0x0000FD00, 0x0000 9300, 0x00002 600, 0x00003 600, 0x000 03F0 0, 0x0 000F700, 0x0 OOOCCOO, 
0x00003400, 0x0000A500, 0x0000E500, OxOOOOFlOO, 0x00007100, 0x0000D800, 0x00003100, 0x00001500, 
0x00000400, OxOOOOC700, 0x00002300, 0x0000C300, 0x00001800, 0x00009600, 0x00000500, 0x00009A00, 
0x00000700, 0x00 0012 00, 0x00008000, 0x0 0E2 0, OxOOOOEBOO, 0x00 02700, 0x0000B200, 0x00007500, 
0x00000900, 0x00008300, 0x00002C00, OxOOOOlAOO, OxOOOOlBOO, 0x00006E00, Ox00005AOO, OxOOOOAOOO, 
0x00005200, 0x00003B00,0x0000D600,0x0000B300, 0x00002900, 0x0000E300,0x00002F00, 0x00008400, 
0x000053 00, OxOOOODlOO, 0000 0000 0, OxOOOOEDOO, 0x000 02 00 0, 0x00 OOFCOO, 0x00 0B100, 0x0 005B00, 
0x00 00 6A0 0, OxOOOOCBOO, OxOOOOBEOO, 0x000 03 90 0, 0x0 04A0 0, Ox0 04COO, 0x00005800, OxOOOOCFOO, 
OxOOOODOOO, OxOOOOEFOO, OxOOOOAAOO, OxOOOOFBOO, 0x0 0430 0, 0x0 0004D0 0, 0x00003300,0x00008500, 
0x00004500, 0x0000F900, 0x00000200, Ox00007FOO, 0x00005000, 0x00003C00,0x00009F00,0x0000A800, 
0x00005100, 0x0000A300, 0x00004000, 0x00008F00, 0x00009200, 0x00009D00, 0x00003800, 0x0000F500, 
OxOOOOBCOO, 0x000 0B600, OxOOOODAOO, 0x00002100,0x00001000, OxOOOOFFOO, 0x000 0F300, 0x000 0D200, 
OxOOOOCDOO,OxOOOOOCOO, 0x00001300, OxOOOOECOO, 0x00005F00, 0x00009700, 0x0 0004400, 0x0 0001700, 
OxOOOOC400, OxOOOOA700, 0x000 07E0 0, 0x00 003D00, 0x00006400, Ox0 05DOO, 0x00001900, 0x00007300, 
0x0 00 600 0, 0x00008100, 0x0 00 04F0 0, OxOOOODCOO, 0x00002200, 0x00 02A00, 0x0 00 900 0, 0x00008800, 
0x00004600, OxOOOOEEOO, 0x0 00 0B800, 0x0 0001400, OxOOOODEOO, 0x0000 5E 00, OxOOOOOBOO, OxOOOODBOO, 
OxOOOOEOOO, 0x000032 00, 0x00003A00, OxOOOOOAOO, 0x00004900, 0x00000600, 0x00002400, 0x00005C00, 
0x0000C200,0x0000D300,0x0000AC00, 0x00006200, 0x00009100, 0x00009500, 0x0000E400, 0x00007900, 
0x0000E7 00, 0x0000C800, 0x00003700, 0x0 00 6D0 0, 0x00 00 8D00, 0x0000D50 0, 0x00004E00, 0x000 0A90 0, 
0x0000 6C00, 0x00005600, 0x0 000F400, 0x00 OOEAOO, 0x00006500, 0x00007A00, OxOOOOAEOO, 0x00000800, 
OxOOOOBAOO, 0x00007800,0x00002500, 0x00002E00, OxOOOOlCOO, 0x0 0A60 0, 0x0 000B4 00, 0x0000C600, 
0x000 OE 800, OxOOOODDOO, 0x00007400, 0x0000 IF 00, 0x0000 4B00, OxOOOOBDOO, 0x0 00 8B0 0, 0x00 8A00, 
0x00 007 00, 0x0 00 03E0 0, 0x0000B5 00, 0x0 00 660 0,0x00004 8 00, 0x0 00 003 00, 0x00 0F600, 0x0 OOOOEOO, 
0x00006100, 0x00003500, 0x0 00057 00, 0x0000B900, 0x0000 8 60 0, OxOOOOClOO, OxOOOOlDOO, 0x00009E00, 
0x0000E100,0x0000F800, 0x00009800, 0x00001100, 0x00006900, 0x0000D900,0x00008E00, 0x00009400, 
0x00009B00, 0x0000 1E00, 0x00008700, 0x0 0E90 0, OxOOOOCEOO, 0x0 0005500, 0x0 0002800, OxOOOODFOO, 
0x0000 8C0 0,0x0000A100, 0x0 000 8 90 0, OxOOOOODOO, OxOOOOBFOO, 0x0000E600, 0x00004200, 0x00006800, 
0x00004100, 0x00009900, 0x0000 2D00, 0x0 000 OFOO, 0x000 OBOOO, 0x000054 00, OxOOOOBBOO, 0x00001600 
}, 
{ 

0x00630000, Ox007COOOO, 0x00770000, 0x007B0 00, 0x0 0F2 000, 0x00 6B0 000, 0x006F0000, OxOOC50000, 
0x00300 00 0, 0x00 01 0000, 0x00 67 000 0,0x002B00 00, 0x0 OFEOOOO, OxOOD7 0000, OxOOABOOO 0,0x007 60000, 
OxOOCAOOOO, 0x00820000, 0x00C90000, 0x0 07D0 000, OxOOFAOOOO, 0x00590000, 0x00470000, OxOOFOOOOO, 
OxOOADOOOO, OxOOD4 00, 0x00A20000, OxOOAFOOOO, 0x009C0000, OxOOA4 00, 0x0 0720000, 0x0 OCO 0000, 
0x00B70000,0x00FD0000, 0x0 93 000 0,0x002 60000, 0x003 60000, 0x003F0000, 0x00F70000, OxOOCCOOOO, 
0x00340000, OxOOA50000, 0x00E50000, OxOOFlOOOO, 0x00710000, 0x00D80000, 0x00310000, 0x00150000, 
0x0004 00 00, 0x0 0C7 000, 0x00230000, 0x0 0C3 0000, 0x00180000, 0x00960000, 0x00050000, 0x009A0000, 
0x00070000, 0x00120000, 0x00800000, 0x00E20000, OxOOEBOOOO, 0x00270000, 0x00B20000, 0x00750000, 
0x0 00 90 000, 0x00830000, 0x0 02C0 0, 0x00 1A0 00, 0x0 1B0 0, 0x00 6E00 00, 0x0 05A0 0, 0x0 OAOOO 00, 
0x00520000, 0x003B0000,0x00D60000,0x00B30000, 0x00290000, 0x00E30000,0x002F0000, 0x00840000, 
0x00530000, 0x0 0D1 0000, 0000000000, OxOOEDOOOO, 0x00200000, OxOOFCOOOO, OxOOBlOOOO, 0x005B0000, 
0x006A0000, OxOOCBOOOO,OxOOBEOOOO, 0x00390000, Ox004AOOOO, Ox004COOOO, 0x00580000, OxOOCFOOOO, 
OxOODOOOOO, OxOOEFOOOO, OxOOAAOOOO, OxOOFBOOOO, 0x00430000, Ox004DOOOO, 0x00330000,0x00850000, 
0x00450000, 0x00F90000, 0x00020000, Ox007FOOOO, 0x00500000, 0x003C0000,0x009F0000,0x00A80000, 
0x00510000, 0x00A30000, 0x00400000, 0x008F0000, 0x00920000, 0x009D0000, 0x00380000, 0x00F50000, 
OxOOBCOOOO, 0x00B60000, OxOODAOOOO, 0x00210000,0x00100000, OxOOFFOOOO, 0x0 0F3 0000, 0x00D20000, 
OxOOCDOOOO, OxOOOCOOOO, 0x0 013 00 0, 0x0 OECOO 00, 0x005F0000, 0x00 9700 00, 0x0 0440 00 0,0x001700 00, 
OxOOC40000, OxOOA70000, Ox007EOOOO, 0x003D0000, 0x00640000, Ox005DOOOO, 0x00190000, 0x00730000, 
0x00 60 0000, 0x00810000, 0x004F0000, OxOODCOOOO, 0x0 02200 00, 0x002A0 000, 0x00 90000 0, 0x00 8 8 0000, 
0x00460000, OxOOEEOOOO, 0x0 0B80000, 0x00140000, OxOODEOOOO, 0x00 5E 0000, 0x0 OOBOOOO, OxOODBOOOO, 
OxOOEOOOOO, 0x0 03200 00, 0x0 03A0 000, OxOOOAOOO 0,0x0 04 90 0,0x00 6000 0,0x0 024 0000, 0x0 05C0000, 
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0x00C20000, 
OxOOE70000, 
0x006C0000, 
OxOOBAOOOO, 
OxOOE80000, 
0x00700000, 
0x00610000, 
OxOOElOOOO, 
0x009B0000, 
0x008C0000, 
0x00410000, 



0x00D30000, 

0x00C80000, 
0x00560000, 
0x00780000, 
OxOODDOOOO, 
0x003E0000, 
0x00350000, 
0x00F80000, 
OxOOlEOOOO, 
OxOOAlOOOO, 
0x00990000, 



OxOOACOOOO, 

0x00370000, 
0x00F40000, 
0x00250000, 
0x00740000, 
OxOOB50000, 
0x00570000, 
0x00980000, 
0x00870000, 
0x00890000, 
0x002D0000, 



0x00620000, 

0x006D0000, 
OxOOEAOOOO, 
0x002E0000, 
OxOOlFOOOO, 
0x00660000, 
0x00B90000, 
0x00110000, 
0x00E90000, 
OxOOODOOOO, 
OxOOOFOOOO, 



0x00910000, 

0x008D0000, 
0x00650000, 
OxOOlCOOOO, 
0x004B0000, 
0x00480000, 
0x00860000, 
0x00690000, 
OxOOCEOOOO, 
OxOOBFOOOO, 
OxOOBOOOOO, 



0x00950000, 

0x00D50000, 
Ox007AOOOO, 
0x00A60000, 
OxOOBDOOOO, 
0x00030000, 
OxOOClOOOO, 
0x00D90000, 
0x00550000, 
0x00E60000, 
0x00540000, 



0x00E40000, 
0x004E0000, 
OxOOAEOOOO, 
OxOOB40000, 
0x008B0000, 
0x00F60000, 
OxOOlDOOOO, 
0x008E0000, 
0x00280000, 
0x00420000, 
OxOOBBOOOO, 



0x00790000, 
0x00A90000, 
0x00080000, 
0x00C60000, 
0x008A0000, 
OxOOOEOOOO, 
0x009E0000, 
0x00940000, 
OxOODFOOOO, 
0x00680000, 
0x00160000 



{ 

0x630 

0x300 

OxCAO 

OxADO 

OxB70 

0x340 

0x040 

0x070 

0x090 

0x520 

0x530 

0x6A0 

OxDOO 

0x450 

0x510 

OxBCO 

OxCDO 

OxC40 

0x600 

0x460 

OxEOO 

0xC20 

OxE70 

0x6C0 

OxBAO 

OxE80 

0x700 

0x610 

OxElO 

0x9B0 

0x8C0 

0x410 



00000, 

00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 



Ox7CO 
0x010 
0x820 
0xD40 
OxFDO 
0xA5 
OxC70 
0x120 
0x830 
0x3B0 
OxDIO 
OxCBO 
OxEFO 
0xF90 
0xA3 
0xB60 
OxOCO 
OxA7 
0x810 
OxEEO 
0x320 
0xD30 
0xC80 
0x560 
0x780 
OxDDO 
0x3E0 
0x350 
OxF80 
OxlEO 
OxAlO 
0x990 



00000, 

00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 



0x770 
0x670 
0xC90 
0xA2 
0x930 
0xE50 
0x230 
0x800 
0x2C0 
0xD60 
00000 
OxBEO 
OxAAO 
0x020 
0x400 
OxDAO 
0x130 
0x7E0 
Ox4FO 
OxB80 
0x3A0 
OxACO 
0x370 
OxF40 
0x250 
0x740 
OxB50 
0x570 
0x980 
0x870 
0x890 
0x2D0 



00000 

00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 



0x7B0 
0x2B0 
0x7D0 
OxAFO 
0x260 
OxFlO 
0xC30 
0xE20 
OxlAO 
0xB30 
OxEDO 
0x390 
OxFBO 
Ox7FO 
0x8F0 
0x210 
OxECO 
0x3D0 
OxDCO 
0x140 
OxOAO 
0x620 
0x6D0 
OxEAO 
0x2E0 
OxlFO 
0x660 
0xB90 
0x110 
0xE90 
OxODO 
OxOFO 



00000 

00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 



OxF20 
OxFEO 
OxFAO 
0x9C0 
0x360 
0x710 
0x180 
OxEBO 
OxlBO 
0x290 
0x200 
Ox4AO 
0x430 
0x500 
0x920 
0x100 
0x5F0 
0x640 
0x220 
OxDEO 
0x490 
0x910 
0x8D0 
0x650 
OxlCO 
0x4B0 
0x480 
0x860 
0x690 
OxCEO 
OxBFO 
OxBOO 



00000 

00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 



0x6B0 
0xD70 
0x590 
OxA4 
0x3F0 
0xD80 
0x960 
0x270 
0x6E0 
0xE30 
OxFCO 
Ox4CO 
Ox4DO 
0x3C0 
0x9D0 
OxFFO 
0x970 
Ox5DO 
0x2A0 
Ox5EO 
0x060 
0x950 
0xD50 
Ox7AO 
0xA60 
OxBDO 
0x030 
OxCIO 
0xD90 
0x550 
0xE60 
0x540 



00000 

00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 



0x6F0 
Ox ABO 
0x470 
0x720 
0xF70 
0x310 
0x050 
0xB20 
Ox5AO 
0x2F0 
OxBlO 
0x580 
0x330 
0x9F0 
0x380 
0xF30 
0x440 
0x190 
0x900 
OxOBO 
0x240 
0xE40 
Ox4EO 
OxAEO 
0xB40 
0x8B0 
0xF60 
OxlDO 
0x8E0 
0x280 
0x420 
OxBBO 



00000 

00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 



OxC50 
0x760 
OxFOO 
OxCOO 
OxCCO 
0x150 
0x9A0 
0x750 
OxAOO 
0x840 
0x5B0 
OxCFO 
0x850 
0xA80 
0xF50 
0xD20 
0x170 
0x730 
0x880 
OxDBO 
Ox5CO 
0x790 
0xA90 
0x080 
0xC60 
0x8A0 
OxOEO 
0x9E0 
0x940 
OxDFO 
0x680 
0x160 



00000, 

00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000 



}; 



The workspace 



static u32 Ekey [44] ; 



/* The expanded key */ 



/* The round Function. 

#define f_rnd(x, n) 

( ft_tab[0] [byteO (x[n] ) ] 
" ft_tab[l] [bytel (x[ (n + 1) 
A ft_tab[2] [byte2 (x[ (n + 2) 
A ft_tab[3] [byte3 (x[ (n + 3) 



4 table lookups and 4 Exors 



3): 
3i: 
3]: 



#define f_round(bo, bi, k) 



bo[0] = 
bo[l] = 
bo[2] = 
bo [3] = 
k += 4 



f_rnd {bi, 
f_rnd {bi, 
f_rnd {bi, 
f_rnd {bi, 



0) 
1) 
2) 
3) 



k[0] 
k[l] 
k[2] 
k[3] 



/* The S Box lookup used in constructing the Key schedule */ 

#define ls_box(x) \ 

( fl_tab[0] [byteO (x) ] \ 

A fl_tab[l] [bytel (x) ] \ 

A fl_tab[2] [byte2 (x) ] \ 

" fl_tab[3] [byte3 (x) ] ) 



/* The last round function (no MixColumn) 

#define lf_rnd(x, n) \ 

( fl_tab[0] [byteO (x[n] ) ] \ 

A fl_tab[l] [bytel (x[ (n + 1) & 3])] \ 

A fl_tab[2] [byte2 (x[ (n + 2) & 3])] \ 
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fl_tab[3] [byte3(x[ (n + 3) & 3])] ) 



* Ri jndaelKeySchedule 

* Initialise the key schedule from a supplied key 
*/ 

void Ri jndaelKeySchedule (u8 key [16]) 
{ 

u32 t; 

u32 *ek=Ekey, /* pointer to the expanded key */ 
*rc=rnd_con; /* pointer to the round constant */ 



Ekey [0] = u32„in(key ) 

Ekey[l] = u32_in (key + 4) 

Ekey[2] = u32_in (key + 8) 

Ekey[3] = u32_in (key + 12) 



while (ek < Ekey + 40) 
{ 

t = rot3 (ek[3] ) ; 

ek[4] = ek[0] A ls_bOx(t) 

ek[5] = ek[l] A ek[4] ; 

ek[6] = ek[2] A ek[5] ; 

ek[7] = ek[3] A ek[6] ; 

ek += 4; 



* Ri jndaelEncrypt 

* Encrypt an input block 
*/ 

void Ri jndaelEncrypt (u8 in[16], u8 out [16]) 
{ 



u32 



bO [4] , bl [4] , *kp = Ekey; 



b0[0] = u32_in(in ) A *kp++; 

b0[l] = u32_in(in + 4) " *kp++; 

b0[2] = u32_in(in + 8) " *kp++; 

b0[3] = u32_in(in + 12) " *kp++; 



f 


.round (bl, 


bO, 


kp 


f. 


.round (bO, 


bl, 


kp 


f_ 


.round (bl, 


bO, 


kp 


f 


.round (bO, 


bl, 


kp 


f 


.round (bl, 


bO, 


kp 


f. 


.round (bO, 


bl, 


kp 


f. 


.round (bl, 


bO, 


kp 


f 


.round (bO, 


bl, 


kp 


f. 


.round (bl, 


bO, 


kp 



u32_out(out, lf_rnd(bl, 0) A kp[0]). 

u32_out(out + 4, lf_rnd(bl, 1) A kp [ 1 ] ) 

u32_out (out + 8, lf_rnd(bl, 2) A kp[2]). 

u32_out(out + 12, lf_rnd(bl, 3) " kp[3]). 
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Annex A (informative); 
Change history 
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